Update Oracle TLS set up and add TSG

Clare Zheng (Shanghai Wicresoft Co Ltd) · Clare Zheng (Shanghai Wicresoft Co Ltd) · commit 2f2059b694aa · 2024-05-27T16:43:14.000+08:00
diff --git a/articles/data-factory/connector-oracle.md b/articles/data-factory/connector-oracle.md
@@ -7,7 +7,7 @@ ms.service: data-factory
 ms.subservice: data-movement
 ms.custom: synapse
 ms.topic: conceptual
-ms.date: 05/15/2024
+ms.date: 05/27/2024
 ms.author: jianleishen
 ---
 
@@ -109,43 +109,46 @@ To enable encryption on Oracle connection, you have two options:
 
 -	To use **Triple-DES Encryption (3DES) and Advanced Encryption Standard (AES)**, on the Oracle server side, go to Oracle Advanced Security (OAS) and configure the encryption settings. For details, see this [Oracle documentation](https://docs.oracle.com/cd/E11882_01/network.112/e40393/asointro.htm#i1008759). The Oracle Application Development Framework (ADF) connector automatically negotiates the encryption method to use the one you configure in OAS when establishing a connection to Oracle.
 
--	To use **TLS**:
+-	To use **TLS**, set up `truststore` for SSL server authentication by applying one of the following three methods:
 
-    1.	Get the TLS/SSL certificate info. Get the Distinguished Encoding Rules (DER)-encoded certificate information of your TLS/SSL cert, and save the output (----- Begin Certificate … End Certificate -----) as a text file.
+    - **Method 1 (recommended)**:
 
-        ```
-        openssl x509 -inform DER -in [Full Path to the DER Certificate including the name of the DER Certificate] -text
-        ```
+        1.	Install the TLS/SSL certificate by importing it into the local certificate store. The built-in Oracle driver is able to load the needed certificate from the certificate store. 
 
-        **Example:** Extract cert info from DERcert.cer, and then save the output to cert.txt.
+        2.	In the service, configure the Oracle connection string with `EncryptionMethod=1`.
 
-        ```
-        openssl x509 -inform DER -in DERcert.cer -text
-        Output:
-        -----BEGIN CERTIFICATE-----
-        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-        XXXXXXXXX
-        -----END CERTIFICATE-----
-        ```
-    
-    2.	Build the `keystore` or `truststore`. The following command creates the `truststore` file, with or without a password, in PKCS-12 format.
+    - **Method 2**:
 
-        ```
-        openssl pkcs12 -in [Path to the file created in the previous step] -out [Path and name of TrustStore] -passout pass:[Keystore PWD] -nokeys -export
-        ```
+        1. Get the TLS/SSL certificate information. Get the Distinguished Encoding Rules (DER)-encoded or Privacy Enhanced Mail (PEM)-encoded certificate information of your TLS/SSL cert, and save the output (----- Begin Certificate … End Certificate -----) as a text file.
 
-        **Example:** Create a PKCS12 `truststore` file, named MyTrustStoreFile, with a password.
+            ```
+            openssl x509 -inform (DER|PEM) -in [Full Path to the DER/PEM Certificate including the name of the DER/PEM Certificate] -text
+            ```
 
-        ```
-        openssl pkcs12 -in cert.txt -out MyTrustStoreFile -passout pass:ThePWD -nokeys -export  
-        ```
+        2.	In the service, configure the Oracle connection string with `EncryptionMethod=1` and the corresponding `TrustStore` value. For example, `Host=<host>;Port=<port>;Sid=<sid>;User Id=<username>;Password=<password>;EncryptionMethod=1;TrustStore= data:// -----BEGIN CERTIFICATE-----<certificate content>-----END CERTIFICATE-----`
 
-    3.	Place the `truststore` file on the self-hosted IR machine. For example, place the file at C:\MyTrustStoreFile.
-    4.	In the service, configure the Oracle connection string with `EncryptionMethod=1` and the corresponding `TrustStore`/`TrustStorePassword`value. For example, `Host=<host>;Port=<port>;Sid=<sid>;User Id=<username>;Password=<password>;EncryptionMethod=1;TrustStore=C:\\MyTrustStoreFile;TrustStorePassword=<trust_store_password>`.
+            >[!Note]
+            >- The value of trust store field should be prefixed with `data://`.
+            >- When specifying content for multiple certificates, specify the content of each certificate between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. The number of dashes (`-----`) should be the same before and after both `BEGIN CERTIFICATE` and `END CERTIFICATE`. For example:<br>
+            >```
+            >-----BEGIN CERTIFICATE-----<certificate content 1>-----END CERTIFICATE-----`
+            >-----BEGIN CERTIFICATE-----<certificate content 2>-----END CERTIFICATE-----`
+            >-----BEGIN CERTIFICATE-----<certificate content 3>-----END CERTIFICATE-----`
+            >```
+            > - The `TrustStore` field supports content up to 8192 characters in length.
 
+   - **Method 3**:
+    
+        1. Create the `truststore` file with strong ciphers like AES256.
+    
+            ```
+            openssl pkcs12 -in [Full Path to the DER/PEM Certificate including the name of the DER/PEM Certificate] -out [Path and name of TrustStore] -passout pass:[Keystore PWD] -keypbe AES-256-CBC -certpbe AES-256-CBC -nokeys -export
+            ```
+        2.	Place the `truststore` file on the self-hosted integration runtime machine. For example, place the file at `C:\MyTrustStoreFile`. 
+    
+        3.	In the service, configure the Oracle connection string with `EncryptionMethod=1` and the corresponding `TrustStore`/`TrustStorePassword` value. For example, `Host=<host>;Port=<port>;Sid=<sid>;User Id=<username>;Password=<password>;EncryptionMethod=1;TrustStore=C:\\MyTrustStoreFile;TrustStorePassword=<trust_store_password>`.
+    
+    
 **Example:**
 
 ```json
diff --git a/articles/data-factory/connector-troubleshoot-oracle.md b/articles/data-factory/connector-troubleshoot-oracle.md
@@ -6,7 +6,7 @@ author: jianleishen
 ms.service: data-factory
 ms.subservice: data-movement
 ms.topic: troubleshooting
-ms.date: 04/30/2024
+ms.date: 05/27/2024
 ms.author: jianleishen
 ms.custom: has-adal-ref, synapse
 ---
@@ -51,6 +51,14 @@ This article provides suggestions to troubleshoot common problems with the Oracl
         - SHA384 
         - SHA512
     
+## Error code: UserErrorFailedToConnectOdbcSource
+
+**Message**: `"Cannot load trust store", or "SSL Handshake Failure reason [error:OA000086:SSL routines::certificate verify failed]"` 
+
+**Cause**: The `truststore` is not appropriate for OpenSSL 3.0, as the `truststore` file is generated using weak ciphers like RC4, MD5 and SHA1.
+
+**Recommendation**: You need to re-create the `truststore` using the strong ciphers like AES256. Refer to this [section](connector-oracle.md#linked-service-properties) for details about setting up TLS connection using `truststore`.
+
 ## Related content
 
 For more troubleshooting help, try these resources:
